Important legal decisions should be based on an accurate understanding of the law and facts. Unfortunately, that is not the case for the Advocate General’s (AG’s) recent Opinion finding that the Safe Harbor agreement between the U.S. and the EU unlawful. As the U.S. Mission to the EU has also noted, the Opinion suffers from particular inaccuracies concerning the law and practice of U.S. foreign intelligence law, notably the PRISM program. It relies on these incorrect facts about PRISM to reach its conclusion, removing the factual basis for its overall findings.
My comments here focus on the Opinion’s incorrect description of U.S. intelligence law and practice. In my experience as a scholar and practitioner in the field, the U.S. has far more extensive legal rules, oversight and other checks and balances on intelligence agencies than is generally true in E.U. member states.
The AG’s opinion reflects the frustration and anger of many Europeans and Americans who learned about practices of the U.S. and European intelligence agencies from documents leaked by Edward Snowden beginning in June, 2013. The scope and nature of the intelligence surveillance far exceeded what most people previously understood. As a long-time legal scholar on these issues, and participant in previous rounds of policy debates, I have shared the view that important new legal checks and balances have been needed on intelligence activities. I also have sympathy and respect for the goals of European data protection law, having written a book on the subject as well as participating in the negotiation of the Safe Harbor itself.
The AG’s opinion reflects the frustration and anger of many Europeans and Americans who learned about practices of the U.S. and European intelligence agencies from documents leaked by Edward Snowden beginning in June, 2013
One response to the public concern was that President Obama created an independent Review Group on Intelligence and Communications Technology, to advise him on how to respond to concerns about intelligence agency activities. In my role as one of the five members, I know that we were briefed at the most classified levels, were provided all of the information and briefings we requested, and issued our 300-page report in December, 2013. The administration informed us that it has adopted at least 70 percent of our 46 recommendations; in addition, all of the major provisions of the USA Freedom Act, passed by Congress in 2015, were derived from Review Group recommendations.
None of these legal and administrative changes is reflected in the AG’s Opinion.
This lapse is particularly troubling because the Opinion based its analysis on the following statement: “In order to ensure effective judicial review of that type of decision, the assessment of its validity must therefore in my view be carried out by reference to the current factual and legal context.” (emphasis added) Unfortunately, the Opinion reached its conclusions with no reference to changes since 2013, and based on a demonstrably incorrect reading of the applicable law.
The central factual inaccuracies of the Opinion concern the PRISM program. It is worthwhile examining this issue in some depth, due to its status as the key factual basis for the AG’s views.
The Opinion bases itself on the Snowden revelations: “According to those revelations, the NSA established a programme called ‘PRISM’ under which it obtained unrestricted access to mass data stored on servers in the United States owned or controlled by a range of companies active in the Internet and technology field, such as Facebook USA.” Later, the Opinion states as fact: ‘’Indeed, the access of the United States intelligence services to the data transferred covers, in a comprehensive manner, all persons using electronic communications services, without any requirement that the persons concerned represent a threat to national security.” The Opinion says the access covers “in a generalised manner, all persons and all means of electronic communication and all the data transferred, including the content of the communications, without any differentiation, limitation or exception according to the objective of general interest pursued.” It adds that, for information transferred by a company such as Facebook to the U.S., there is “mass, indiscriminate surveillance.”
As has been widely reported and based on my work on the Review Group, the PRISM program is governed by Section 702 of the law enacted in 2008 to amend the Foreign Intelligence Surveillance Act. The Review Group, in its Appendix B, set forth privacy protections applicable to Europeans and other non-U.S. persons under the law. Together these show the enormous gap between the statements in the Opinion and U.S. law and practice:
(1) Targeting must be for a valid foreign intelligence purpose in response to National Intelligence Priorities;
(2) Targetings must be under a Foreign Intelligence Surveillance Court (FISC) approved Section 702 Certification and targeted at a person overseas;
(3) All targeting is governed by FISC-approved targeting procedures;
(4) Specific communications identifiers (such as a phone number or email address) are used to limit collections only to communications to, from, or about a valid foreign intelligence target;
(5) Queries into collected data must be designed to return valid foreign intelligence and overly broad queries are prohibited and supervised by the FISC;
(6) Disseminations to external entities, included select foreign partners (such as E.U. member states) are made for valid foreign intelligence purposes; and
(7) Raw data is destroyed after two years or five years, depending on the collection source.
The PCLOB has precisely the attributes of independence and investigatory powers that European privacy officials have long emphasized
In addition to the Review Group, the five-member, independent Privacy and Civil Liberties Oversight Board (PCLOB) issued a 191-page report on Section 702 in July, 2014. The PCLOB has precisely the attributes of independence and investigatory powers that European privacy officials have long emphasized; indeed, in contrast to the essentially non-existent powers of European Data Protection Authorities in intelligence matters, the PCLOB has the ability to conduct investigations based on classified briefings about the nation’s anti-terrorist surveillance activities. The PCLOB’s general findings are inconsistent with the factual statements in the Opinion: “Overall, the Board has found that the information the program collects has been valuable and effective in protecting the nation’s security and producing useful foreign intelligence. The program has operated under a statute that was publicly debated, and the text of the statute outlines the basic structure of the program. Operation of the Section 702 program has been subject to judicial oversight and extensive internal supervision, and the Board has found no evidence of intentional abuse.”
In short, based on investigation by an independent agency, the program has been necessary, effective and governed by law.
The independent Review Group and PCLOB reports refute the factual basis for the AG’s Opinion. Instead of the alleged “unrestricted access to bulk data,” the PCLOB found that the “program does not operate by collecting communications in bulk.” Instead of applying to “all means of electronic communications,” the program applies only to “specific communications identifiers” where the communication is to, from or about a valid foreign intelligence target. Instead of applying “without any differentiation, limitation or exception according to the objective of general interest pursued,” the program applies only to persons and queries for defined foreign intelligence purposes.
The U.S. government’s reforms and review have continued since the Review Group and PCLOB reports. We have witnessed a broader range of changes relevant to EU citizens than most have realized. Early in 2015, the PCLOB issued an assessment of how its recommendations have been implemented, finding: “The administration has accepted virtually all recommendations in the Board’s 702 report.” As one example relevant to the AG’s concern about indiscriminate surveillance unrelated to a legitimate purpose, the PCLOB recommended and the administration has accepted new definitional and oversight procedures about the purpose of each surveillance request. The new procedures create stricter definition and documentation of the purpose of each request, subject to two levels of approval within the NSA as well as independent judiciary review by the FISC.
The Section 702 discussion here illustrates the dense web of rules and oversight that exists for information collection by U.S. intelligence agencies seeking data held in the U.S. Transfer of data to the U.S. therefore does not remove legal protections against intelligence activities compared to data held in the E.U.
photo credit: 3D Scales of Justice via photopin (license)